Chapter 2

Hierarchy and delegation — zones and responsibility

Think of domains and zones separately, and sort out the meaning of delegation, zone cut, and glue.

Domains are a tree of names; zones are a scope of responsibility

In Chapter 1 we framed DNS as a query for "name + type," and saw that the authoritative server is the one that holds that data. In this chapter we look at how that authority is divided — that is, who is responsible for which range of data.

One of the easiest confusions in DNS is that domains and zones sound like similar concepts but mean different things. A domain is a subtree of the namespace. A zone, on the other hand, is a unit of data that a particular group of authoritative servers is responsible for serving.

For example, example.com is a domain name, and if shop.example.com has not been delegated to another team, it simply stays inside the example.com zone. The moment you delegate that point to a different set of NS records, a zone cut (the boundary at which delegation splits responsibility between parent and child zones) appears, and responsibility splits between the parent zone and the child zone.

[Figure: a DNS hierarchy diagram showing delegation from root to TLD to parent zone to child zone]
The tree of names and the boundary where authoritative data is served are not necessarily the same. A zone cut is born at the point of delegation.

Check your understanding


Practice 2-1 — Separate namespace from scope of responsibility

Not conflating domains with zones is the core of this chapter.

Chapter 2 / Practice 1

Q6. Which is the most correct description of the relationship between a domain and a zone?

Hint: Distinguish the boundary of the namespace from the boundary of authoritative management.

Chapter 2 / Practice 2

Q7. Suppose the parent holds example.com, and both shop.example.com and eu.shop.example.com are delegated to their own separate sets of NS records. Viewed as units of authoritative management, how many zones are there?

Hint: One parent zone + one per delegated child zone.

What happens at a zone cut

  • The parent zone holds an NS record that points to the child zone.
  • If needed, glue is attached on the parent side so you can start resolving the child's NS names.
  • The child zone has its own SOA and NS at its apex.
  • The recursive resolver receives a referral from the parent and moves on to the child's authoritative servers.

| Element | General role | When you see it in practice |
|---------|--------------|-----------------------------|
| SOA | The start of the zone. The reference point for the serial and the various timers | When you want to see where the authoritative scope begins |
| NS | The group of authoritative servers that serve this zone | When you want to confirm the delegation target or the location of authoritative servers |
| glue | An auxiliary address so you can reach the delegated NS name | When the NS name lives under the child zone |

Practice 2-2 — Confirm what is returned at the delegation boundary

If the roles of SOA / NS / glue are fuzzy, you lose your bearings in the middle of dig +trace.

Chapter 2 / Practice 3

Q8. When the authoritative server name for shop.example.com is something like ns1.shop.example.com — i.e. it lives under the child zone — what is the main reason glue is needed in the parent zone?

Hint: Think about the loop where you want to reach that NS server, but to know its IP you would first need to enter the same child zone.

Chapter 2 / Practice 4

Q9. At the apex of a child zone, which records are usually placed first as part of being a delegated zone? Select all that apply.

Hint: It is the things that mark the start of the zone and the group of authoritative servers that serve it.

Glue is "the first foothold"

Suppose the authoritative server name for shop.example.com is ns1.shop.example.com. To know the IP of that name, you would normally need information from the shop.example.com zone. But to reach that zone, you must already know the IP of that NS server. Resolving the child zone's NS name requires reaching the child zone's NS — a chicken-and-egg circular dependency.

So the parent zone attaches the address of ns1.shop.example.com as auxiliary data, letting the recursive resolver take its first step. That is glue. The name caught on in the DNS community because the record acts like glue (an adhesive) that bonds the parent zone to the child zone across the delegation boundary.
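The referral and glue behaviour described above, modelled as a small added example (not code from the original page). The zone contents, the out-of-zone name ns2.dns-host.example.net, the address 192.0.2.53 and all function names are constructed for illustration.

```python
# Constructed parent-zone data for illustration; not taken from a real zone.
PARENT_APEX = "example.com."
# Delegation points (zone cuts) held by the parent: owner name -> NS targets.
DELEGATIONS = {
    "shop.example.com.": ["ns1.shop.example.com.", "ns2.dns-host.example.net."],
}
# Addresses the parent carries only as glue (192.0.2.0/24 is a documentation range).
GLUE = {"ns1.shop.example.com.": ["192.0.2.53"]}


def is_subdomain(name, ancestor):
    """True if name equals ancestor or sits below it, compared label by label
    so that notexample.com is never mistaken for a child of example.com."""
    n = name.lower().rstrip(".").split(".")
    a = ancestor.lower().rstrip(".").split(".")
    return len(n) >= len(a) and n[-len(a):] == a


def find_zone_cut(qname):
    """Return the deepest delegation point at or above qname, or None."""
    cuts = [c for c in DELEGATIONS if is_subdomain(qname, c)]
    return max(cuts, key=lambda c: c.count(".")) if cuts else None


def parent_response(qname):
    """Model what the parent's authoritative server returns for qname."""
    if not is_subdomain(qname, PARENT_APEX):
        return {"kind": "not-authoritative"}
    cut = find_zone_cut(qname)
    if cut is None:
        # No cut on the path: the parent answers from its own zone data.
        return {"kind": "authoritative", "aa": True}
    ns = DELEGATIONS[cut]
    return {
        "kind": "referral", "aa": False, "answer": [],
        "authority": [(cut, "NS", t) for t in ns],
        "additional": [(t, "A", ip) for t in ns for ip in GLUE.get(t, [])],
    }


def missing_glue(cut):
    """NS names at or below the cut need glue; list those that have none."""
    return [t for t in DELEGATIONS[cut] if is_subdomain(t, cut) and t not in GLUE]
```

Only ns1.shop.example.com. gets an address in the additional section; the out-of-zone NS name can be resolved independently and needs no glue. A non-empty result from missing_glue marks a delegation the resolver cannot follow through that NS name.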

Practical caution:
When you move across cloud DNS and registrar UIs, it is easy to get pulled toward "which screen did I set this in?" What matters is not the UI location but which zone is authoritative right now.

Practice 2-3 — Where does the baton pass from parent to child

Confirm what the parent returns for an already-delegated name.

Chapter 2 / Practice 5

Q10. Seen from the parent zone example.com, what is the most likely way it responds to a query for api.shop.example.com A? Assume shop.example.com has been delegated to a separate zone.

Hint: The parent does not hold authoritative data for the child — it says "please go on from here."

Key takeaways from this chapter

  • A domain is a namespace; a zone is a boundary of authoritative management
  • When you delegate, a zone cut appears and the parent returns a referral
  • Glue is the first foothold that breaks the circular dependency